Пример #1
0
func TestGenerateJWT(t *testing.T) {
	claims := &JWTClaims{
		ExpiresAt: time.Now().Add(time.Hour),
	}

	j := RS256JWTStrategy{
		PrivateKey: internal.MustRSAKey(),
	}

	token, sig, err := j.Generate(claims.ToMapClaims(), header)
	require.Nil(t, err, "%s", err)
	require.NotNil(t, token)

	sig, err = j.Validate(token)
	require.Nil(t, err, "%s", err)

	sig, err = j.Validate(token + "." + "0123456789")
	require.NotNil(t, err, "%s", err)

	partToken := strings.Split(token, ".")[2]

	sig, err = j.Validate(partToken)
	require.NotNil(t, err, "%s", err)

	// Reset private key
	j.PrivateKey = internal.MustRSAKey()

	// Lets validate the exp claim
	claims = &JWTClaims{
		ExpiresAt: time.Now().Add(-time.Hour),
	}
	token, sig, err = j.Generate(claims.ToMapClaims(), header)
	require.Nil(t, err, "%s", err)
	require.NotNil(t, token)
	//t.Logf("%s.%s", token, sig)

	sig, err = j.Validate(token)
	require.NotNil(t, err, "%s", err)

	// Lets validate the nbf claim
	claims = &JWTClaims{
		NotBefore: time.Now().Add(time.Hour),
	}
	token, sig, err = j.Generate(claims.ToMapClaims(), header)
	require.Nil(t, err, "%s", err)
	require.NotNil(t, token)
	//t.Logf("%s.%s", token, sig)
	sig, err = j.Validate(token)
	require.NotNil(t, err, "%s", err)
	require.Empty(t, sig, "%s", err)
}
Пример #2
0
func TestHash(t *testing.T) {
	j := RS256JWTStrategy{
		PrivateKey: internal.MustRSAKey(),
	}
	in := []byte("foo")
	out, err := j.Hash(in)
	assert.Nil(t, err)
	assert.NotEqual(t, in, out)
}
Пример #3
0
func TestValidateSignatureRejectsJWT(t *testing.T) {
	var err error
	j := RS256JWTStrategy{
		PrivateKey: internal.MustRSAKey(),
	}

	for k, c := range []string{
		"",
		" ",
		"foo.bar",
		"foo.",
		".foo",
	} {
		_, err = j.Validate(c)
		assert.NotNil(t, err, "%s", err)
		t.Logf("Passed test case %d", k)
	}
}
func TestOIDCImplicitFlow(t *testing.T) {
	session := &defaultSession{
		DefaultSession: &openid.DefaultSession{
			Claims: &jwt.IDTokenClaims{
				Subject: "peter",
			},
			Headers: &jwt.Headers{},
		},
	}
	f := compose.ComposeAllEnabled(new(compose.Config), fositeStore, []byte("some-secret-thats-random"), internal.MustRSAKey())
	ts := mockServer(t, f, session)
	defer ts.Close()

	oauthClient := newOAuth2Client(ts)
	fositeStore.Clients["my-client"].RedirectURIs[0] = ts.URL + "/callback"

	var state = "12345678901234567890"
	for k, c := range []struct {
		responseType string
		description  string
		nonce        string
		setup        func()
		hasToken     bool
		hasCode      bool
	}{
		{
			description:  "should pass without id token",
			responseType: "token",
			setup: func() {
				oauthClient.Scopes = []string{"fosite"}
			},
		},
		{

			responseType: "id_token%20token",
			nonce:        "1111111111111111",
			description:  "should pass id token (id_token token)",
			setup: func() {
				oauthClient.Scopes = []string{"fosite", "openid"}
			},
			hasToken: true,
		},
		{

			responseType: "token%20id_token%20code",
			nonce:        "1111111111111111",
			description:  "should pass id token (id_token token)",
			setup:        func() {},
			hasToken:     true,
			hasCode:      true,
		},
	} {
		c.setup()

		var callbackURL *url.URL
		authURL := strings.Replace(oauthClient.AuthCodeURL(state), "response_type=code", "response_type="+c.responseType, -1) + "&nonce=" + c.nonce
		client := &http.Client{
			CheckRedirect: func(req *http.Request, via []*http.Request) error {
				callbackURL = req.URL
				return errors.New("Dont follow redirects")
			},
		}
		resp, err := client.Get(authURL)
		require.NotNil(t, err, "(%d) %s", k, c.description)

		t.Logf("Response: %s", callbackURL.String())
		fragment, err := url.ParseQuery(callbackURL.Fragment)
		require.Nil(t, err, "(%d) %s", k, c.description)

		expires, err := strconv.Atoi(fragment.Get("expires_in"))
		require.Nil(t, err, "(%d) %s", k, c.description)

		token := &oauth2.Token{
			AccessToken:  fragment.Get("access_token"),
			TokenType:    fragment.Get("token_type"),
			RefreshToken: fragment.Get("refresh_token"),
			Expiry:       time.Now().Add(time.Duration(expires) * time.Second),
		}

		if c.hasToken {
			assert.NotEmpty(t, fragment.Get("id_token"), "(%d) %s", k, c.description)
		} else {
			assert.Empty(t, fragment.Get("id_token"), "(%d) %s", k, c.description)
		}

		if c.hasCode {
			assert.NotEmpty(t, fragment.Get("code"), "(%d) %s", k, c.description)
		} else {
			assert.Empty(t, fragment.Get("code"), "(%d) %s", k, c.description)
		}

		httpClient := oauthClient.Client(oauth2.NoContext, token)
		resp, err = httpClient.Get(ts.URL + "/info")
		require.Nil(t, err, "(%d) %s", k, c.description)
		assert.Equal(t, http.StatusNoContent, resp.StatusCode, "(%d) %s", k, c.description)
		t.Logf("Passed test case (%d) %s", k, c.description)
	}
}
Пример #5
0
	"time"

	"github.com/golang/mock/gomock"
	"github.com/ory-am/fosite"
	"github.com/ory-am/fosite/handler/oauth2"
	"github.com/ory-am/fosite/internal"
	"github.com/ory-am/fosite/storage"
	"github.com/ory-am/fosite/token/hmac"
	"github.com/ory-am/fosite/token/jwt"
	"github.com/pkg/errors"
	"github.com/stretchr/testify/assert"
)

var idStrategy = &DefaultStrategy{
	RS256JWTStrategy: &jwt.RS256JWTStrategy{
		PrivateKey: internal.MustRSAKey(),
	},
}

var hmacStrategy = &oauth2.HMACSHAStrategy{
	Enigma: &hmac.HMACStrategy{
		GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"),
	},
}

type defaultSession struct {
	Claims  *jwt.IDTokenClaims
	Headers *jwt.Headers
	*fosite.DefaultSession
}
Пример #6
0
func TestOpenIDConnectExplicitFlow(t *testing.T) {
	session := &defaultSession{
		DefaultSession: &openid.DefaultSession{
			Claims: &jwt.IDTokenClaims{
				Subject: "peter",
			},
			Headers: &jwt.Headers{},
		},
	}
	f := compose.ComposeAllEnabled(new(compose.Config), fositeStore, []byte("some-secret-thats-random"), internal.MustRSAKey())
	ts := mockServer(t, f, session)

	defer ts.Close()
	oauthClient := newOAuth2Client(ts)
	fositeStore.Clients["my-client"].RedirectURIs[0] = ts.URL + "/callback"

	var state string
	for k, c := range []struct {
		description    string
		setup          func()
		authStatusCode int
	}{
		{
			description: "should pass",
			setup: func() {
				state = "12345678901234567890"
				oauthClient.Scopes = []string{"openid"}
			},
			authStatusCode: http.StatusOK,
		},
	} {
		c.setup()

		resp, err := http.Get(oauthClient.AuthCodeURL(state) + "&nonce=1234567890")
		require.Nil(t, err)
		require.Equal(t, c.authStatusCode, resp.StatusCode, "(%d) %s", k, c.description)

		if resp.StatusCode == http.StatusOK {
			token, err := oauthClient.Exchange(oauth2.NoContext, resp.Request.URL.Query().Get("code"))
			fmt.Printf("after exchange: %s\n\n", fositeStore.AuthorizeCodes)
			require.Nil(t, err, "(%d) %s", k, c.description)
			require.NotEmpty(t, token.AccessToken, "(%d) %s", k, c.description)
			require.NotEmpty(t, token.Extra("id_token"), "(%d) %s", k, c.description)
		}
		t.Logf("Passed test case (%d) %s", k, c.description)
	}
}